Executive Summary
In February 2026, Zyxel disclosed a critical command injection vulnerability (CVE-2025-13942) in the UPnP function of several router models, including 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, and wireless extenders. The flaw lets an unauthenticated remote attacker execute operating system commands on an affected device by sending a specially crafted UPnP SOAP request. The vulnerability carries a CVSS score of 9.8, but exploitation from the internet requires both UPnP and UPnP WAN access to be enabled, and WAN access is disabled by default. Turning WAN access off removes the internet-facing exposure but does not change the vulnerable code, which a UPnP service by design still serves to the LAN side; Zyxel's fixed firmware is therefore the actual remediation, and Zyxel strongly advises users to update promptly.
The significance of this vulnerability is underscored by the widespread deployment of Zyxel devices, often provided by internet service providers as default equipment. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is monitoring multiple Zyxel vulnerabilities, highlighting the ongoing risk to network security.
Why This Matters Now
The CVE-2025-13942 vulnerability poses a significant risk due to the extensive use of Zyxel routers in both consumer and enterprise environments. Unpatched devices are susceptible to remote exploitation, potentially leading to unauthorized access and control over network infrastructure. Immediate firmware updates are crucial to mitigate this threat and protect sensitive data and services.
Attack Path Analysis
The following is a modeled attack path, not a reported incident; no public exploit was known when the advisory was published. An unauthenticated attacker on the WAN side sends a crafted UPnP SOAP request to a Zyxel EX3510-B0 (used here as the representative affected model) and gains remote OS command execution. With that foothold the attacker takes control of the device, then uses the router as a pivot point to move laterally within the network and target other connected systems. The attacker establishes a command and control channel to maintain persistent access to the compromised device, exfiltrates sensitive data from the network through it, and finally disrupts network services by modifying configurations or deploying malware, impacting the organization's operations.
Kill Chain Progression
Initial Compromise
Description
In the modeled path, an unauthenticated attacker on the WAN side exploits the UPnP command injection in a Zyxel EX3510-B0 with a crafted SOAP request and gains remote OS command execution on the device.
Related CVEs
CVE-2025-13942
CVSS 9.8. A command injection vulnerability in the UPnP function of certain Zyxel devices allows unauthenticated remote attackers to execute OS commands via crafted UPnP SOAP requests.
Affected Products:
Zyxel DX4510-B0 – < 5.17(abyl.10.1)c0
Zyxel DX4510-B1 – < 5.17(abyl.10.1)c0
Zyxel EE6510-10 – < 5.19(acjq.4.1)c0
Zyxel EMG6726-B10A – < 5.13(abnp.8.2)c1
Zyxel EX2210-T0 – < 5.50(acdi.2.4)c0
Zyxel EX3510-B0 – < 5.17(abup.15.2)c0
Zyxel EX3510-B1 – < 5.17(abup.15.2)c0
Zyxel EX5510-B0 – < 5.17(abqx.11.1)c0
Zyxel EX5512-T0 – < 5.70(aceg.5.4)c0
Zyxel EX7710-B0 – < 5.18(acak.1.6)c0
Zyxel LTE3301-PLUS – < 1.00(abqu.9)c0
Zyxel Nebula LTE3301-PLUS – < 1.18(acca.6)v0
Zyxel Nebula NR7101 – < 1.16(accc.1)v0
Zyxel NR7101 – < 1.00(abuv.12)b2
Zyxel PX3321-T1 – < 5.44(achk.3)c0, < 5.44(acjb.1.5)c0
Zyxel PX5301-T0 – < 5.44(ackb.0.6)c0
Zyxel VMG4927-B50A – < 5.13(ably.10.2)c0
Zyxel WX5610-B0 – < 5.18(acgj.0.5)c0
Exploit Status:
no public exploit
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-13942
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026
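An added example, not Zyxel's code and not part of the original page, that turns the advisory's two preconditions into a check a network owner can run: send a unicast SSDP M-SEARCH to the CPE's public address from outside (a reply means UPnP answers on the WAN side), parse the device description the reply points to, and compare the reported firmware build against the fixed builds in the product list above. It sends no SOAP request and does not touch the vulnerable code path. The branch-aware version comparison, the assumption that the build string is reported in `<modelNumber>`, and the sample SSDP reply and description XML are all constructed for this example; confirm where your own device reports its firmware before relying on the verdict.

```python
"""Added example (not Zyxel's code, not from the page): check a CPE for WAN-reachable UPnP and compare its build to the fixed list."""
import re
import socket
import xml.etree.ElementTree as ET

# Fixed builds from the advisory's list; affected = older build on the same branch (the code inside the parentheses).
FIXED_VERSIONS = {
    "DX4510-B0": ["5.17(ABYL.10.1)C0"], "DX4510-B1": ["5.17(ABYL.10.1)C0"],
    "EE6510-10": ["5.19(ACJQ.4.1)C0"], "EMG6726-B10A": ["5.13(ABNP.8.2)C1"],
    "EX2210-T0": ["5.50(ACDI.2.4)C0"], "EX3510-B0": ["5.17(ABUP.15.2)C0"],
    "EX3510-B1": ["5.17(ABUP.15.2)C0"], "EX5510-B0": ["5.17(ABQX.11.1)C0"],
    "EX5512-T0": ["5.70(ACEG.5.4)C0"], "EX7710-B0": ["5.18(ACAK.1.6)C0"],
    "LTE3301-PLUS": ["1.00(ABQU.9)C0"], "NEBULA LTE3301-PLUS": ["1.18(ACCA.6)V0"],
    "NEBULA NR7101": ["1.16(ACCC.1)V0"], "NR7101": ["1.00(ABUV.12)B2"],
    "PX3321-T1": ["5.44(ACHK.3)C0", "5.44(ACJB.1.5)C0"], "PX5301-T0": ["5.44(ACKB.0.6)C0"],
    "VMG4927-B50A": ["5.13(ABLY.10.2)C0"], "WX5610-B0": ["5.18(ACGJ.0.5)C0"],
}
# Build strings look like V5.17(ABUP.15.2)C0: major.minor(branch.build[.patch])stage+number.
VERSION_RE = re.compile(r"^V?(\d+)\.(\d+)\(([A-Za-z]+)\.(\d+)(?:\.(\d+))?\)([A-Za-z])(\d+)$")

def parse_version(text):
    """Return (branch, comparable tuple) for a Zyxel build string; ValueError otherwise."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel build string: {text!r}")
    major, minor, branch, build, patch, stage, number = m.groups()
    return branch.lower(), (int(major), int(minor), int(build), int(patch or 0),
                            stage.lower(), int(number))

def is_affected(model, running):
    """True/False when the list above can answer; None when it cannot (model not listed,
    build string unparseable, or no fixed build on the same branch as the running one)."""
    fixed_builds = FIXED_VERSIONS.get(model.strip().upper())
    if fixed_builds is None:
        return None
    try:
        branch, running_key = parse_version(running)
    except ValueError:
        return None
    for fixed in fixed_builds:
        fixed_branch, fixed_key = parse_version(fixed)
        if fixed_branch == branch:
            return running_key < fixed_key
    return None

def parse_ssdp_response(raw):
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into a dict of lower-cased headers."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError(f"not an SSDP OK reply: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_device_description(xml_text):
    """Text children of the first <device> in a UPnP description (untrusted input: cap the size)."""
    if len(xml_text) > 65536:
        raise ValueError("device description too large")
    root = ET.fromstring(xml_text)
    local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the urn:schemas-upnp-org namespace
    device = next((el for el in root.iter() if local(el.tag) == "device"), None)
    if device is None:
        raise ValueError("no <device> element in description")
    return {local(child.tag): (child.text or "").strip() for child in device}

def ssdp_msearch(host, port=1900, timeout=2.0):
    """Unicast M-SEARCH to host:port; returns the raw reply or None. Sent from outside to
    the CPE's WAN address, any reply means UPnP answers on the WAN side."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: %s:%d\r\nMAN: \"ssdp:discover\"\r\n"
           "MX: 1\r\nST: upnp:rootdevice\r\n\r\n" % (host, port)).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, (host, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None

def assess(ssdp_reply, description_xml):
    """One verdict from the SSDP reply plus description. Assumption: the firmware build is
    reported in <modelNumber>; check where your own device puts it."""
    headers, desc = parse_ssdp_response(ssdp_reply), parse_device_description(description_xml)
    model, version = desc.get("modelName", ""), desc.get("modelNumber", "")
    return {"location": headers.get("location"), "server": headers.get("server"), "model": model,
            "version": version, "affected": is_affected(model, version) if version else None}

# Constructed sample data, not captured from a real device.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                     b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
                     b"SERVER: Linux UPnP/1.1 MiniUPnPd/2.1\r\nST: upnp:rootdevice\r\n"
                     b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n")
SAMPLE_DESCRIPTION = """<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0">
<specVersion><major>1</major><minor>1</minor></specVersion><device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType><friendlyName>Zyxel EX3510-B0</friendlyName>
<manufacturer>Zyxel</manufacturer><modelName>EX3510-B0</modelName><modelNumber>V5.17(ABUP.14.0)C0</modelNumber></device></root>"""

def assess_sample():
    # Constructed EX3510-B0 one build behind the fixed 5.17(ABUP.15.2)C0
    return assess(SAMPLE_SSDP_REPLY, SAMPLE_DESCRIPTION)
```

Run `ssdp_msearch` against the CPE's public address from a host outside it; a reply means the UPnP WAN access setting is on, and the `LOCATION` header gives the description URL to fetch for `assess`. nmap's `upnp-info` NSE script (`nmap -sU -p 1900 --script upnp-info <wan-ip>`) performs the same discovery step. A `None` verdict means the page's list cannot answer for that model or branch, not that the device is safe; the version comparison is deliberately restricted to builds on the same branch because Zyxel build numbers are not comparable across branch codes.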
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190): initial access through the WAN-exposed UPnP SOAP endpoint
Command and Scripting Interpreter: Unix Shell (T1059.004): OS command execution on the device
Exploitation of Remote Services (T1210): lateral movement from the router to other systems
External Remote Services (T1133)
Network Service Discovery (T1046)
Endpoint Denial of Service (T1499)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement strong authentication mechanisms
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical RCE vulnerability in Zyxel routers threatens core network infrastructure, enabling command injection attacks that could disrupt service delivery and compromise customer data.
Internet
ISP-provided Zyxel equipment exposes millions of internet subscribers to remote exploitation via UPnP command injection, requiring immediate firmware updates and network segmentation.
Financial Services
Router infrastructure vulnerabilities create lateral movement risks for financial institutions, potentially violating PCI compliance requirements and enabling data exfiltration through compromised network devices.
Health Care / Life Sciences
Medical facility network routers vulnerable to RCE attacks threaten HIPAA compliance and patient data security through potential lateral movement and interception of traffic that passes through the compromised device.
Sources
- Zyxel warns of critical RCE flaw affecting over a dozen routers: https://www.bleepingcomputer.com/news/security/zyxel-warns-of-critical-rce-flaw-affecting-over-a-dozen-routers/
- Zyxel Security Advisory for Null Pointer Dereference and Command Injection Vulnerabilities in Certain 4G LTE/5G NR CPE, DSL/Ethernet CPE, Fiber ONTs, Security Routers, and Wireless Extenders: https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026
- CVE-2025-13942 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-13942
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities, escalate privileges, and move laterally within the network, thereby reducing the overall impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the command injection vulnerability may have been constrained, reducing the likelihood of initial remote access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and gain control over the device could have been limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network may have been constrained, limiting access to other connected systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels could have been limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing data loss.
The attacker's ability to disrupt network services could have been limited, reducing operational impact.
Impact at a Glance
Affected Business Functions
- Network Connectivity
- Internet Access
- Remote Management
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of network configurations and connected device information.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- Utilize Cloud Firewall (ACF) to control and monitor outbound traffic, preventing unauthorized data exfiltration.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to suspicious activities promptly.
- Regularly update and patch network devices to mitigate known vulnerabilities and reduce the attack surface.